CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”

Operation BugDrop: Targets

CyberX has confirmed at least 70 victims successfully targeted by the operation in a range of sectors including critical infrastructure, media, and scientific research. The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.

Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organizations by the Ukrainian government.

A company that designs remote monitoring systems for oil & gas pipeline infrastructures.

An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine.

An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants.

A scientific research institute.

Editors of Ukrainian newspapers.

Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources. In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data captured from its targets. A large team of human analysts is also required to sort through the captured data and process it, manually and/or with Big Data-style analytics.

Initially, CyberX saw similarities between Operation BugDrop and a previous cyber-surveillance operation discovered by ESET in May 2016 called Operation Groundbait. However, despite some similarities in the Tactics, Techniques, and Procedures (TTPs) used by the hackers in both operations, Operation BugDrop’s TTPs are significantly more sophisticated than those used in the earlier operation. For example, it uses:

Dropbox for data exfiltration, a clever approach because Dropbox traffic is typically not blocked or monitored by corporate firewalls.

Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without going through the normal Windows API calls, thereby bypassing security verification of the code before it gets loaded into memory.

Legitimate free web hosting sites for its command-and-control infrastructure. C&C servers are a potential pitfall for attackers, as investigators can often identify attackers using registration details for the C&C server obtained via freely available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web hosting site to store the core malware module that gets downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.

Operation BugDrop infects its victims using targeted email phishing attacks and malicious macros embedded in Microsoft Office attachments. It also uses clever social engineering to trick users into enabling macros if they aren’t already enabled.

How CyberX Investigated Operation BugDrop

CyberX’s Threat Intelligence Research team initially discovered Operation BugDrop malware in the wild. The team then reverse-engineered the code to analyze its various components (decoy documents used in phishing attacks, droppers, main module, microphone module, etc.) and how the malware communicates with its C&C servers. The team also needed to reverse-engineer exactly how the malware generates its encryption keys.

Distribution of Targets by Geography

Compilation Dates

The modules were compiled about a month after ESET announced the existence of Operation Groundbait. If the two operations are indeed related, this might indicate the group decided it needed to change its TTPs to avoid detection.

This is translated as: “Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of a document.”

Based on the document metadata, the language in which the list is written is Ukrainian, but the original language of the document is Russian.

The creator of the decoy document is named “Siada.”

The last modified date is 2016-12-22 10:37:00.

The document itself (below) shows a list of military personnel with personal details such as birthdate and address:

Decoy document with personal information about military personnel

2. Main Downloader

The main downloader is extracted from the decoy document via a malicious VB script that runs it from the temp folder.

The downloader has low detection rates (detected by only 4 out of 54 AV products).

3. Dropper — Stage 0

The icon for the downloader EXE was copied from a Russian social media site (http://sevastopol.su/world.php?id=90195).

The icon itself is a meme that jokes about Ukrainians (http://s017.radikal.ru/i424/1609/83/0c3a23de7967.jpg).

Dropper icon

Russian social media site from where icon for dropper EXE was obtained

The dropper has 2 DLLs stored in its resources; they are XOR’ed in such a way that the current byte is XOR’ed with the previous byte.

This technique is much better than plain single-key XOR because it results in a byte distribution that doesn’t look like that of a normal Portable Executable (PE) file. This helps obfuscate the embedded file so that it is not detected by anti-virus systems.
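The following is an added example, not CyberX’s tooling, that shows why the chained-XOR scheme described above defeats the usual “try all 256 single-byte keys and look for an MZ/PE header” heuristic, and how an analyst would unwrap such a resource once the scheme is known. It assumes the chaining is obfuscated[i] = plain[i] XOR obfuscated[i-1] (with a configurable seed for the first byte) and uses a constructed, minimal PE-like blob as sample input.

```python
import struct

# Assumption: each obfuscated byte is plain[i] XOR the previous obfuscated byte;
# the very first byte is XOR'ed with `seed` (0 leaves it unchanged).
def chained_xor_encode(plain: bytes, seed: int = 0) -> bytes:
    out, prev = bytearray(), seed
    for b in plain:
        prev = b ^ prev          # chain on the obfuscated byte just produced
        out.append(prev)
    return bytes(out)

def chained_xor_decode(data: bytes, seed: int = 0) -> bytes:
    out, prev = bytearray(), seed
    for c in data:
        out.append(c ^ prev)     # recover plain[i] from obfuscated[i] and obfuscated[i-1]
        prev = c
    return bytes(out)

def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' DOS stub and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def single_byte_xor_reveals_pe(data: bytes) -> bool:
    """The naive packer heuristic: brute-force all 256 single-byte XOR keys, look for a PE."""
    return any(looks_like_pe(bytes(b ^ k for b in data)) for k in range(256))

def build_sample_pe() -> bytes:
    """Constructed stand-in for an embedded DLL: DOS header, e_lfanew -> 0x40, fake NT header."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)      # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x40)               # e_lfanew points at 0x40
    hdr += b"PE\x00\x00" + bytes(range(256))     # PE signature + filler body
    return bytes(hdr)

def compare_schemes(key: int = 0x37) -> dict:
    """Plain XOR with one key falls to the brute-force heuristic; chained XOR does not."""
    sample = build_sample_pe()
    plain_xor = bytes(b ^ key for b in sample)
    chained = chained_xor_encode(sample)
    return {
        "plain_xor_detected": single_byte_xor_reveals_pe(plain_xor),   # True
        "chained_xor_detected": single_byte_xor_reveals_pe(chained),   # False
        "chained_roundtrip_ok": chained_xor_decode(chained) == sample, # True
    }

if __name__ == "__main__":
    print(compare_schemes())
```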

Not all of the plugins are downloaded to every target. Each module has a unique extension which is the client ID. This is how the main module knows which modules should be downloaded to a particular target.

Conclusions

1) Operation BugDrop was a cyber-reconnaissance mission; its goal was to gather intelligence about targets in various domains including critical infrastructure, media, and scientific research. We have no evidence that any damage or harm has occurred from this operation; however, identifying, locating and performing reconnaissance on targets is usually the first phase of operations with broader objectives.

2) Skilled hackers with substantial financial resources carried out Operation BugDrop. Given the amount of data analysis that needed to be done on a daily basis, we believe BugDrop was heavily staffed. Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience. While we are comfortable assigning nation-state level capabilities to this operation, we have no forensic evidence that links BugDrop to a specific nation-state or group. “Attribution” is notoriously difficult, with the added difficulty that skilled hackers can easily fake clues or evidence to throw investigators off their trail.

3) Private and public sector organizations need to continuously monitor their IT and OT networks for anomalous activities indicating they’ve been compromised. Fortunately, new algorithmic technologies like behavioral analytics are now available to rapidly identify unusual or unauthorized activities with minimal false positives, especially when combined with actionable threat intelligence. Organizations also need deep forensics to identify the scope and impact of a breach, as well as an enterprise-wide incident response plan that can be carried out quickly and at scale.